Re: DNS contamination

[dvv () sprint net (Dima Volodin)]

Paul A Vixie writes:
> > Ignoring additional records works pretty well for me.
>
> This is harder than it looks.  Sometimes the glue A RRs are the only ones
> you can get -- you need them in order to ask questions in the domain they
> are in, so without them you have infinite regress.

As I said, it works fine for me. When no A record for a nameserver is
available, named just issues a proper request for it to whatever server
might now about it. Here's the patch:

*** named/ns_resp.c.old Mon Nov 11 01:36:51 1996
--- named/ns_resp.c     Thu Jan 23 19:01:30 1997
***************
*** 272,278 ****
        qdcount = ntohs(hp->qdcount);
        ancount = ntohs(hp->ancount);
        aucount = ntohs(hp->nscount);   /* !!! */
!       arcount = ntohs(hp->arcount);
        free_addinfo();         /* sets addcount to zero */
        cp = msg + HFIXEDSZ;
        dpp = dnptrs;
--- 272,281 ----
        qdcount = ntohs(hp->qdcount);
        ancount = ntohs(hp->ancount);
        aucount = ntohs(hp->nscount);   /* !!! */
!       if (qp->q_flags & Q_PRIMING)
!               arcount = ntohs(hp->arcount);
!       else
!               arcount = 0;
        free_addinfo();         /* sets addcount to zero */
        cp = msg + HFIXEDSZ;
        dpp = dnptrs;


It's a darn dirty kluge, but it works.

The correct way to do that is to make sure that the responding server
is in the hierarchy chain of an additional record, and ignore the record,
if it's not.


Note the Reply-To header.

Dima
- - - - - - - - - - - - - - - - -